1. Field of the Invention
The present invention relates to communication systems, in particular, to data packet security using security associations.
2. Description of the Related Art
Internet Protocol Security (IPsec) is a set of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting IP packets in a data stream. IPsec includes protocols for establishing mutual authentication and negotiation of cryptographic keys, which might protect data flows between two or more host devices (e.g., computers or servers), between a pair of security gateways (e.g., routers or firewalls), or between a security gateway and a host device. The IPsec protocol is specified by the Internet Engineering Task Force (IETF) in a series of Requests for Comment (RFCs). Other network protocol standards, such as Secure Real-time Transport Protocol (SRTP), Transport Layer Security (TLS) and Secure Socket Layer (SSL) also define similar security services. Network protocol standards share information required for security processing through the use of security associations (SAs). For example, every packet entering security processing might have an associated SA which provides necessary information to encrypt or decrypt the packet. SAs contain important security information for two network entities during secured conversation. An SA might contain security attributes such as a crypto key, a hasher key, an initialization vector, and reuse context such as anti-replay information and RC4 states. The framework for establishing SAs is provided by the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is officially specified by the IETF in RFC 2408.
In general, a packet's SA is sent as part of the packet's header. The packet's header might contain an SA index to identify the SA of the sending network entity. When security processing is performed on a received packet, the packet's corresponding SA is typically fetched from memory. Throughput might be limited during security processing on packets with large SAs where the security processing is done in stages. Throughput might also be limited during security processing by reuse context in the SA. For example, existing approaches to security processing using SA with reuse context might have to wait for a packet to complete processing before beginning the processing of a subsequent packet that uses the same reuse context in the SA.